Smartcard Developer Association Clones Digital GSM Cellphones

San Francisco, Monday, 13 April 1998. The Smartcard Developer
Association (SDA) and two U.C. Berkeley researchers jointly announced
today that digital GSM cellphones are susceptible to cloning, contrary
to the belief of even the telecommunication providers that have fielded
them. GSM (Groupe Spéciale Mobile) is the most widely used cellphone
standard in the world, with more than 79 million GSM phones in use
worldwide. In contrast, there are about 58 million U.S cellphone users
of all kinds both analog and digital, including some GSM.

The SDA became involved with GSM security because GSM phones have a
small smartcard inside them which holds the identity of the cellphone.
This small smartcard is called a SIM, for Subscriber Identification
Module. The SIM must keep the identity inside a secret and uses
cryptography to protect it. The SDA has organized and coordinated the
activities leading to a breach in the cryptographic protection. The
breach allows the extraction of the secret inside the SIM, after which
the secret may be inserted into a different SIM. A cellphone with the
new SIM has the same identity as the original phone.

The GSM standard was designed by an association of European cellular
network operators and equipment manufacturers. The cryptographic
protection is but a small part of the 130 volumes and over 6,000 pages
which make up the GSM standard. Unfortunately, the cryptography was
designed in secret and is still kept secret, provided to individuals at
smartcard and cellphone manufacturers on a ``need-to-know'' basis.

``As shown so many times in the past, a design process conducted in
secret and without public review will invariably lead to an insecure
system,'' says Marc Briceno, Director of the SDA. ``Here we have yet
another example of how security by obscurity is no security at all.''

The origin of the breach was when the SDA discovered the cryptographic
algorithms used inside the SIM's and cellphones. The SDA first verified
that the algorithms were accurate. The exact details of the algorithms
were not known to the public but the verified algorithms matched the
facts that were publicly known. Next the SDA brought in David Wagner
and Ian Goldberg, researchers in the Internet Security, Applications,
Authentication and Cryptography (ISAAC) group at the University of
California, Berkeley. Within a day, Wagner and Goldberg had found a
fatal cryptographic flaw in COMP128, the algorithm used to protect the
identity inside the SIM. They created a system to exploit the flaw by
repeatedly asking the SIM to identify itself; by processing the
responses they were able to extract the secret from inside the SIM.

``There's no way that we would have been able to break the cryptography
so quickly if the design had been subjected to public scrutiny,'' says
David Wagner. ``Nobody is that much better than the rest of the
cryptography research community.'' David Wagner was previously known
for his work on the breach of CMEA, a cipher used in digital cellphones.
As in this case, the cryptographers who did the work on CMEA blamed the
design process for the insecurity of the system.

Serious Implications, Possible Remedies

Almost all GSM network operators are vulnerable to the new breach.
There are replacements for COMP128 permitted in the GSM system, but so
far the SDA has not found a network which does not use COMP128. The SDA
is currently in the process of determining which cellular networks are
vulnerable. Nor are U.S. companies immune. Many U.S. networks use GSM
standards in their offerings of digital PCS service, Pacific Bell among
them. Indeed, it was a SIM signed up to the Pacific Bell PCS service
that the ISAAC group successfully attacked.

One of the main advantages touted for the new digital services is that
the phones cannot be cloned. A billboard advertisement by Pacific Bell
well known in the San Francisco area portrays a sheep, presumably a
cloned sheep, and a claim that the digital cellphone is different.
Cloned phones are widely used in criminal ``call-sell'' operations,
which sell international and long distance service from cloned
telephones.

The fraud potential is exacerbated by a blind reliance of equipment
engineers on the belief that the cryptography would never be broken.
``Much switching equipment never checks to see if two telephones with
the same identity are on-line at the same time,'' says Yobie Benjamin,
Chief Knowledge Officer at Cambridge Technology Partners.

The SDA points out that the breach may be correctable, but this cannot
be known for certain at the current time. ``We anticipate that this is
but the first in a family of related vulnerabilities,'' says Goldberg of
the ISAAC group. Remedies cannot be adequately designed until more is
known about the potential for other weaknesses. The SDA cautions that
no practical over-the-air attack is known yet but that one should not be
ruled out. Unlike the current breach, which requires physical
possession of a SIM, an over-the-air attack would extract secrets from
SIM's nestled inside their phones and without the cooperation of the
owner.

Any fix of the system is certain to be expensive. ``At the least, all
the SIM's would have to be reissued. A software upgrade for all the
authentication centers shouldn't be ruled out'', says Bob Keyes, a
consultant with Enterprise Security Services at Cambridge Technology
Partners. Changes to each component would not be particularly large,
but the changes in total would be extensive, affecting many different
pieces of the system.

Indications of Government Interference

A secret design process is always fraught with peril, but the situation
worsens when government agencies meddle. One of the discoveries that
the SDA made about GSM security was a deliberate weakening of the
confidentiality cipher used to keep eavesdroppers from listening to a
conversation. This cipher, called A5, has a 64 bit key, but only 54
bits of which are used. The other ten bits are simply replaced with
zeros. ``The only party who has an interest in weakening voice privacy
is a national surveillance agency,'' says Briceno. ``Consumers want
privacy, and the manufacturers and network operators incur no cost
whatsoever by using a full-size key.''

The U.S. systems may well befall the same fate. The National Security
Agency is known to have pressured the analogous U.S. standards body to
weaken voice privacy. ``The U.S. systems aren't much better,'' says
Phil Karn, an engineer with Qualcomm, a maker of digital CDMA
cellphones. Karn has had experience in the standardization process.
``Unless consumers demand better, the situation is unlikely to change,''
he says.

The lessons for electronic commerce are clear. Only standards created
in an open environment and subject to public comment are acceptable.
Any other process has always led to losses for service providers and
consumers alike. ``Every part of a system design requires a publicly
accepted justification, without exception,'' says Eric Hughes, Chief
Designer at SigNet Assurance, a company building electronic commerce
infrastructure. So far the signs are encouraging. Standards such as
SET, even though developed in private, are nevertheless available for
public review. Companies evaluating systems need to look closely at the
design process of their security components. Top management should
verify these claims before final procurement. Hughes says, ``I fear
that unless we have a culture where anything but open security analysis
is ridiculous, we will have some spectacular and unnecessary electronic
commerce catastrophes.''

Press Contacts

For further information about the SDA refer to the
about section for contact details.